Moodle tracker: MDL-48020

CSRF in mod/forum/subscribe_ajax.php


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.8
    • Fix Version/s: 2.8
    • Component/s: Forum
    • Labels:
    • Testing Instructions:
      1. Toggle subscription to discussions with JS
        • Confirm that your changes were respected and no errors are thrown
      2. Try to (deliberately) remove the sesskey
        • Confirm that you get an error about missing sesskey checks
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE

      Description

      Where is the sesskey check? There is no need for optional_param('sesskey').

      Also, \mod_forum\subscriptions::subscribe_user_to_discussion() should check whether the user is the guest account.
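The two checks the report asks for, shown as an added illustration rather than the MDL-48020 patch or any code from Moodle itself. The endpoint is written in the shape of mod/forum/subscribe_ajax.php: require_sesskey(), isguestuser(), require_login(), required_param(), get_coursemodule_from_instance(), context_module::instance() and \mod_forum\subscriptions::subscribe_user_to_discussion() / unsubscribe_user_from_discussion() are real Moodle 2.8 APIs; the overall script layout, the 'subscribe' request parameter, the 'noguest' exception and the JSON response shape are assumptions made for the example.

```php
<?php
// Added example, not the MDL-48020 fix: an AJAX discussion-subscription
// endpoint with the CSRF and guest checks the report says were missing.
// Script layout, the 'subscribe' parameter and the response shape are
// assumptions; the API calls are Moodle core / mod_forum functions.

define('AJAX_SCRIPT', true);
require_once(__DIR__ . '/../../config.php');

$discussionid = required_param('discussionid', PARAM_INT);
$subscribe    = required_param('subscribe', PARAM_BOOL);

$discussion = $DB->get_record('forum_discussions', ['id' => $discussionid], '*', MUST_EXIST);
$forum      = $DB->get_record('forum', ['id' => $discussion->forum], '*', MUST_EXIST);
$course     = $DB->get_record('course', ['id' => $forum->course], '*', MUST_EXIST);
$cm         = get_coursemodule_from_instance('forum', $forum->id, $course->id, false, MUST_EXIST);
$context    = context_module::instance($cm->id);

require_login($course, false, $cm);

// CSRF protection. This is the report's point: merely reading the token with
// optional_param('sesskey', ...) verifies nothing. require_sesskey() compares
// the 'sesskey' request parameter with the key stored in the user's session
// and throws moodle_exception('invalidsesskey') on mismatch or absence, so a
// cross-site form POST that carries the victim's cookies but not the token
// stops here (with AJAX_SCRIPT set, the exception is returned as JSON).
require_sesskey();

// The guest account has no meaningful per-user subscription state and must
// not be able to write to the subscription tables; refuse it before any
// state change. The same test belongs inside subscribe_user_to_discussion()
// so that every caller is covered, not only this script.
if (isguestuser()) {
    throw new moodle_exception('noguest');
}

require_capability('mod/forum:viewdiscussion', $context);

if ($subscribe) {
    \mod_forum\subscriptions::subscribe_user_to_discussion($USER->id, $discussion, $context);
} else {
    \mod_forum\subscriptions::unsubscribe_user_from_discussion($USER->id, $discussion, $context);
}

echo json_encode(['discussionid' => $discussion->id, 'subscribed' => (bool) $subscribe]);
```

For the JS side of the testing instructions, the client has to send the token with each request (Moodle exposes it to page scripts as M.cfg.sesskey); once it is dropped from the request, step 2 of the test should produce the invalidsesskey error instead of a silent subscription change. require_sesskey() is the right call for an endpoint that must reject the request outright; confirm_sesskey() only returns a boolean and is for code that wants to decide for itself what to do.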

              People

              Assignee:
              dobedobedoh Andrew Nicols
              Reporter:
              skodak Petr Skoda
              Peer reviewer:
              Frédéric Massart
              Integrator:
              Dan Poltawski
              Tester:
              Simey Lameze
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              0
              Watchers:
              3

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                10/Nov/14